Personally Identifiable Information Regarding Some of the Most High-Profile Internet Cybercriminals, Cybercrime Gangs and Various Internationally Recognized Cyber Threat Actors


by Dancho Danchev 


24.07.2021 


HackPhreak Group Members Include: 


Bronc Buster, Lothos, Overdose, Truedog, x-empt, phriction, ntwakO, Gridmark, Phemetrix, Mnemonic, tOuchtOne, muted, espionage, mercs, kanuchsa, Morbid Angel, Lucii, optiklenz, cap n crunch, tip, icer, sreality, Zyklon, havoc, HyperLogik, Defiant, Duncan Silver, Slfdstrct, lothos


Group's founder: Charlie Wellborne - rloxley@hackphreak.org 
Personally identifiable information for Digital Ebola: 
Digital Ebola - Email: digi@legions.org 

AIM: digitalebola1 

ICQ: 70001776 

IRC: Undernet #legions, Efnet #ampedout 

MUD: sensenet.legions.org port 5555 

digi@wintermute.linux.tc 


digi@wintermute.unixgeeks.com 


Sample HackPhreak network infrastructure reconnaissance: 
http://wintermute.legions.org - 66.12.11.162 
http://neuromancer.legions.org - 66.12.11.171 
http://cyberspace7.legions.org 

http://sensenet.legions.org 

http://straylight.legions.org 

http://monkeyboxing.legions.org - 66.12.11.170 
http://boomzilla.legions.org 

http://luckydragon.legions.org - 66.12.11.172
http://walledcity.legions.org 

http://aleph.legions.org 

Sample Personal Emails belonging to HackPhreak members: 




Sample personal photo of HackPhreak's Founder - Charlie Wellborne: 


Sample Personal Photos of HackPhreak Group Members: 


Related domains known to have been involved and managed and operated by 
HackPhreak Team: 



o Exposing Anonymous Indonesia — An In-Depth Analysis 
Real Name: Cyb3r00T 


Personal Photo: 
Personally Identifiable Information: Email: cyb3r00t.linux@gmail.com; SoraCyberTeam@gmail.com including the following Facebook account (https://www.facebook.com/Cyb3r00T.go.id) including the following GitHub account (https://github.com/soracyberteam) including the following YouTube account (https://www.youtube.com/cyb3r00t) including the following Twitter account (https://twitter.com/soracyberteam)


Sample Personal Logo of Cyb3r00T Member of Anonymous Indonesia a.k.a 
SoraCyberTeam: 




o Exposing FBI's Most Wanted Iranian Cybercriminals — An In-Depth 
Analysis 


Sun Army Team Members: 

Nitrojen26, Mehdy007, MagicCoder, tHe.Mo3tafA, Plus, BodyGuard 

Sample Network Infrastructure Reconnaissance:

hxxp://sun-army.org - 185.53.179.10 - Email: Sun.Army@asia.com; Lord.private@ymail.com 
Name: Omid Ghaffarinia 

Handle: Plus 


Email: omid.ghaffarinia@gmail.com; plus.ashiyane@gmail.com; omid.ghaffarinia@alum.sharif.edu
Phone: 091 2444 9002
Web Site: http://alum.sharif.ir/~omid.ghaffarinia/; http://omidplus.persiangig.com/
Social Media Accounts: https://plus.google.com/109226633947780718251


Handle: MagicCoder 

Email: MagicCOd3r@qmail.com 

Web Site: http://magiccoder.ir 

Handle: Mehdy007 

Email: mehdyO07@hotmail.fr 

Web Site: http://mehdy007.persiangig.com 


ITSec Team a.k.a Amn pardazesh kharazmi a.k.a Pooya Digital Security Group 
Members: 


Pejvak, M3hr@n.S, Am!rkh@n, Doosib, H4mid@Tm3l, R3dmO0ve, Provider, ahmadbady 


Sample Team Member Personally Identifiable Information: 
Name: Amin Shokohi 

Handle: Pejvak 

Email: pejv4k@yahoo.com 

Web Site: http://pejv4k.persiangig.com; http://pejv4k.110mb.com 
Handle: Mehr@n.S 


Email: M3hran.S@qmail.com 

Sample Network Infrastructure Reconnaissance: 
http://itsecteam.com 

Name: Mohammad Sagegh Ahmadzadegan 

Handle: Nitrojen26 

Email: nitrOjen26@asia.com; Nitrojen26@yahoo.com; me@sadahm.net 
Web Site: http://sadahm.com 

Social Media Accounts: https://twitter.com/nitrojen26 


Personal Photos: 


Personal Photo: 


Iranische Kinderkrebshilfe e.V., Eekbusch 49, D - 22295 Hamburg
Address: Iranische Kinderkrebshilfe e.V., 22308 Hamburg

Mr. Sadegh Ahmadzadegan
Mr. Omid Ghaffarinia

Phone: +49 (40) 23994557
Telefax: 49 (40) 23984866
URL: www.ikkh.de
Bank: Hamburger Sparkasse
IBAN: DE27 2005 0550 1353 1336 38
BIC: HASPDEHHXXX

Date: 26.07.2016

Dear Mr. Ahmadzadegan, dear Mr. Ghaffarinia, 


We would like to seize this opportunity to convey our sincere gratitude for your donation of 2,705.- € to our charity Iranische Kinderkrebshilfe e.V.. Your donation will be transferred to MAHAK — the Society to Support Children Suffering from Cancer in Iran for procuring required medication for treating cancer.

Children receiving treatment due to philanthropic acts like yours will have the chance for hope towards a brighter future for themselves and their families. You are truly influencing the life of others towards a tangible improvement.

Thank you again for your generous support of the effort to help children suffering from cancer.


Sincerely yours

Maryam Ghanaati
Head of Managing Committee
Iranische Kinderkrebshilfe e.V.
www.ikkh.de


BANKING / INVESTMENTS \ ADVISORY 


Confirmation of Payment 


FT16195807737763 of 2705.00 EUR dated 13/07/2016 18:25, sender: ABLV BANK, AS (RIGA, LATVIA, AIZKLV22XXX), receiver: BANK OF LATVIA, RIGA LATVIA, LACBLV2XXXX


SENDER’S CORRESPONDENT LACBLV2XXXX 

BANK BANK OF LATVIA 
RIGA LATVIA 

OUR REFERENCE FT16195807737763 

VALUE DATE 14/07/2016 

SETTLED AMOUNT 2705.00 EUR 

ORDERING CUSTOMER LV60AIZK0000010369163 
745739-2036711 
TELEGRAM CORP. 


50th Street, Global Bank Tower, PANAMA CITY, PROVINCE OF PANAMA, PA


ORDERING INSTITUTION AIZKLV22XXX 
ABLV BANK, AS 
RIGA LATVIA 


BENEFICIARY'S BANK 
HAMBURGER SPARKASSE AG 
HAMBURG GERMANY 


BENEFICIARY DE27200505501353133638 
Iranische Kinderkrebshilfe e.V.


DETAILS OF PAYMENT Contract for services 
DETAILS OF CHARGE SHA 


Electronic signature: DBOOO2D5FE 14A7170CAC20E25A312E13 


Work for results 


In business, like in sports, only the weak may be happy with 
mere participation. We are there for getting results and 
achieving aims 


More about us — www.ablv.com/en 


AS / Registration No. $0003149401 
Sample Maltego SNA (Social Network Analysis) of FBI's Most Wanted Iranian Cybercriminals Sun Army Team Members including ITSec Team Members and the Mersad Co. Company:


o Exposing Koobface Botnet's Anton Nikolaevich Korotchenko — An In-Depth Analysis


o Exposing Evgeniy Mikhaylovich Bogachev — An In-Depth Analysis 
Sample Personal Photo of Evgeniy Mikhaylovich Bogachev


Personally Identifiable Information: Evgeniy Mikhaylovich Bogachev is the primary operator of the Jabber ZeuS botnet and is known to be using the following email addresses - bashorg@talking.cc; luckycats2008@yahoo.com; alexgarbar-chuck@yahoo.com; bollinger.evgeniy@yandex.ru; charajiang16@gmail.com - 112.175.50.220. He is known to have lived at the following address - Lermontova Str. Anapa, Russian Federation, and to be using the following IM account - lucky12345@jabber.cz and the following ICQ numbers - 42729771; 312456. Related domains: http://visitcoastweekend.com - 103.224.182.253; 70.32.1.32; 192.184.12.62; 141.8.224.93; 69.43.160.163; http://incomeet.com - 192.186.226.71; 66.199.248.195; http://work.businessclub.so


Real Name: Galdziev Chingiz 


Related domains known to have participated in the campaign: http://fizot.org - 
http://fizot.com - 50.63.202.35; 184.168.221.33 - http://poymi.ru - 109.206.190.54 


Related name servers known to have participated in the campaign: ns1.fizot.com - 
35.186.238.101 - ns2.fizot.com 


Related domain including an associated email using the same name server: - 
http://averfame.org - harold@avereanoia.org 
Google Analytics ID: UA-3816538 


Related domains known to have participated in the campaign: http://awmproxy.com - 
http://pornxplayer.com 


Related emails known to have participated in the campaign: fizot@mail.ru, xtexgroup@gmail.com, xtexcounter@bk.ru


Related domains known to have responded to the same malicious and fraudulent IP - 178.162.188.28: http://dnevnik.cc http://xvpn.ru http://xsave.ru http://anyget.ru http://nezayti.ru http://proproxy.ru http://hitmovies.ru http://appfriends.ru http://naraboteya.ru http://awmproxy.com http://zzyoutube.com http://pornxplayer.com http://awmproxy.net http://checkerproxy.net


Related domains known to have participated in the campaign: 
http://fizot.livejournal.com, http://russiaru.net/fizot 


Instant Messaging Account: ICQ - 795781 


Related personally identifiable information of Galdziev Chingiz: http://phpnow.ru ICQ - 
434929 Email: info@phpnow.ru 


Related domains known to have participated in the campaign: http://filmv.net 
http://finance-customer.com http://firelinesecrets.com http://fllmphpxpwqeyhj.net 
http://flsunstate333.com 


Related individuals known to have participated in the campaign: 


Slavik, Monstr, IOO, Nu1i, nvidiag, zebra7753, lexa_Mef, gss, iceIX, Harderman, Gribodemon, 
Aqua, aquaSecond, it, percent, cp01, hct, xman, Pepsi, miami, miamibc, petrOvich, Mr. ICQ, 
Tank, tankist, Kusunagi, Noname, Lucky, Bashorg, Indep, Mask, Enx, Benny, Bentley, Denis 
Lubimov, MaDaGaSka, Vkontake, rfcid, parik, reronic, Daniel, bx1, Daniel Hamza, Danielbx1, 
jah, Jonni, jtk, Veggi Roma, D frank, duo, Admin2010, h4x0rdz, Donsft, mary.J555, susanneon, 
kainehabe, virus_e_2003, spaishp, sere.bro, muddem, mechanizm, vlad.dimitrov, jheto2002, 
sector.exploits 


Related Instant Messaging accounts and emails known to have participated in the 
campaign: 




o Exposing Iran's Ashiyane Digital Security Team — An In-Depth Analysis
http://ashiyane.ir - 108.162.197.211; 108.162.196.211 - Email: securehostcenter@gmail.com; Email: ashiyane.center@gmail.com; on 2006-09-25 ashiyane.ir is known to have been registered with the following email - Email: nima.salehi@yahoo.com

http://ashiyane.org - 141.101.116.247; 141.101.117.247 - Email: ashiyane.center@gmail.com; on 2004-01-18 http://ashiyane.org is known to have been registered with the following email - Email: behrooz_ice@yahoo.com; on 2005-01-07 ashiyane.org is known to have been registered with the following email - Email: iranweb@socal.rr.com


The group's members currently consist of Q7X, unique2world, MR.SAMAN, 
MostafaBestMan, hossein19123, Encoder, C4T, VIR4N64R, ERroR, aprilyaa, Azad, .exe, 


Azazel, Cyb3r_Inj3ctOr, Programmer, Milad22, am118, N4H, majidflash, II_Invisible_IT, 
AliAkh, Sha2ow, Kaz3m, jooooondost, MehrdadLinux, Classic, TeVeN, Mute, EviL 
ShaDoW, Black-Hole, Angel—D3m0n, iman_taktaz, Rizux, AR455, Rz04, ardavan2, The 
Smith, Ali_Eagle, HASSAN20. 


Name: Behrooz Kamalian a.k.a Behrooz_Ice 
Born on: 15th of May, 1983 
Email: behrooz.kamalian@yahoo.com; behrooz.kamalian@gmail.com; behrooz_ice@yahoo.com


Google Plus: http://plus.google.com/107725945276429650317/posts 


Facebook: http://facebook.com/behrooz.kamalian 


Mobile: +1912-737-2388 
Name: Nima Salehi a.k.a Q7X

Born on: 24th of November 

Studied at: Sadra University 

Email: nima.salehi@yahoo.com 
Facebook: http://facebook.com/ashiyane 


hossein19123 - Email: hossein19123@yahoo.com 
PrOgrammer - Email: prOgrammer.ashiyane@gmail.com 
Milad22 - Email: Milad_a.kh22@yahoo.com 

Sha2ow - Email: Sha2ow@hackermail.com 

iman_taktaz - Email: ashiyane_org@yahoo.com 


unique2world - Email: unique2world@gmail.com


Sample Personal Photos of Ashiyane Digital Security Team Members: 


Sample personally identifiable email address accounts for members of the Ashiyane Digital Security Team including related members of Iran-based and lone Iran-based hackers and hacking groups:




Cyber Threat Actor Profiling
o Exposing 29A Virus Coding Group 


Personal email belonging to the group: 29A@sourceofkaos.com 


Group's personal Web site: http://sourceofkaos.com/homes/29a/ 


Second group's Web Site: http://www.29a.net/ - Email: mOn305@terra.es 


Personally identifiable information for GriYo: Spain — Email: griyo@akrata.org - http://www.geocities.com/Area51/Corridor/2618 - Email: Dreamcatcher5072@aol.com - Email: griyo@hellsparty.com; griyo29A@hotmail.com - http://griyo.hellsparty.com - Email: griyo@bi0.net - https://twitter.com/griyo666 - http://vxug.fakedoma.in - https://www.facebook.com/pg/djgriyo

Personal Emails belonging to 29A Team Members: 
- Jacky Qwerty — Peru - jqwerty@cryogen.com
- Mental Driller — Spain - mental_driller@hotmail.com
- Reptile - Canada - bwaha@hotmail.com
- SoPinky — Argentina - msopinky@hotmail.com
- Super — Spain - super_29a@mixmail.com
- Tcp — Spain - tcp@cryogen.com
- Vecna — Brazil - vecna@antisocial.com
- VirusBuster — Spain - darknode@oninet.es - Email: virusbuster@terra.es
- ZOmbie — Russia - zloebuchij_zasrakomondohooy@usa.net
- Darkman - Denmark - darkman@sourceofkaos.com
- roy g biv - iam_rgb@hotmail.com


Sample Personal Photo of the Group's Founder - Benny 


Personally Identifiable Information for Benny: 


Personal Web Site: http://benny29a.cjb.net; http://benny29a.kgb.cz; 
http://www.benny29a.com 


Sample Personal Email: benny_29a@hushmail.com; benny@post.cz; benny_29a@privacyx.com
Related personal Web sites: http://benny.bloguje.cz; http://benny.hysteria.cz 
ICQ — 123122556; 156892790; UnderNet.Org server, #vir, #virus, #vxers channels 


Related personal Web sites for 29A Group Members: 
- Alcopaul/[rRIf] http://alcopaul.cjb.net; alcopaul@cannabismail.com
- Benny/29A http://www.coderz.net/benny; benny@post.cz
- Mental Driller/29A mental_driller@notrix.net; mental_driller@psynet.net; mental_driller@hotmail.com
- philetOast3r/[rRIf] http://www.rRIf.de philetOast3r@rRIf.de PhileTOast3r@gmx.de
- ZeMacroKiller98 http://zemckiller98.multimania.com - http://membres.lycos.fr/zemckiller98 zebulon@softel.fr
- Vecna http://coderz.net/vecna
- VirusBuster http://virustradingcenter.cjb.net
- ZOMBIE http://zZOmbie.host.sk http://forumer.com/bsodomon
- GriYo Spain griyo@hellsparty.com
- Ratter Czech Republic ratter@atlas.cz
- roy g biv iam_rgb@hotmail.com
- VirusBuster Spain virusbuster@terra.es
- Super super_29a@mixmail.com
Sample Social Network Analysis (SNA) of 29A Using Maltego


1. Exposing Team Code Zero 


Related Zero for Owned Personal Domains and Web Sites: 


http://shOdan.org 


http://antilimit.net 


https://sinnerz.com 


https://codez.com 


Related Team Code Zero/Confidence Remains High Team Members: 
- solo 

- helix 

- XFli 

- modeX 

- Shok 

- zer0x 

- Spheroid 

Related Personal Web Sites belonging to Team Code Zero Members: 


http://www.aom.co.uk/total/ 


http://www.r0ot.org/crh/ 


http://www.rootshell.com 


http://insecurity.insecurity.org/codez/ 


Related personal emails belonging to Team Code Zero Members: 
- dk@crackhouse.com 

- dz@acheron.net 

- domains4sale@usa.net 


- zen@sekurity.org 


Related domains belonging to Team Code Zero Members: 


http://microsOft.paranoia.com 


http://codez.com 


Sample Domain Name Whois records: 


Domain Name: SINNERZ.COM 


Administrative Contact: 


Kimminau, Suzette (SK2455) evilchic@NWLINK.COM 


(206)454-7176 

Technical Contact, Zone Contact: 
Schmittel, Blair (BS469) blair@CYBER-NAUT.COM 
(801)654-3139 


Record last updated on 26-Mar-97. 
Record created on 26-Mar-97. 


Domain servers in listed order: 


STRECH.CYBER-NAUT.COM 192.41.77.5 
ITIS.EASILINK.COM 192.41.78.2 


Related personal Web sites belonging to Team Code Zero Members: 


http://el8.netgates.co.uk 


http://www.mastaz.org/codezero/ 


http://ulticonn.dyndns.com/codezero 
Related personal email belonging to Team Code Zero Members: 
Darkfool 


darkfool@pancreas.com 


Related personal Web sites belonging to Team Code Zero Members: 


http://insecurity.insecurity.org/codez/ 


http://www.r0ot.or
http://www.exceed.net
http://www.7thsphere.com/hpvac/hacking.html 


ftp://ftp.sekurity.org/users/solo 


Related personal Web sites of Team Code Zero Members: 


www.d-lab.com.ar/crh/ 


www.technotronic.com/ezines/crh/ 


http://cybrids.simplenet.com/Toast/files/CRH 


ftp.linuxwarez.com/pub/crh/


ftp.sekurity.org/users/solo 


Related personal Web sites belonging to Team Code Zero Members: 
http://www.d-lab.com.ar/sekret/warez 


http://www.d-lab.com.ar/mad/ 


http://www.d-lab.com.ar/crh


Sample personal photos of Team Code Zero Members: 




Related Personal Home Pages of Prominent and Currently active Iranian Hackers 
and Web Site Defacement Groups: 


nemesis-0131.persiangig.com 
neo-the-funny.persiangig.com 
networktools.persiangig.com 
newblack.persiangig.com 
nima3.persiangig.com 


nimetal.persiangig.com 


ninja-armin.persiangig.com 
nobOdy.persiangig.com 
nofacenoname.persiangig.com 
noktehaa.persiangig.com 
noofoz.persiangig.com 
noter.persiangig.com 
nova-team.persiangig.com 
omid-niazi.persiangig.com 
omid-pich.persiangig.com 
omid-shakh.persiangig.com 
omid69.persiangig.com 
onlineteach.persiangig.com 
only-amniat.persiangig.com 
onlykdk.persiangig.com 
optishock.persiangig.com 
orum-0441.persiangig.com 
oshamid.persiangig.com 
p-h-s-t.persiangig.com 
p30cloob.persiangig.com 
p30man2008.persiangig.com 
p30shopcenter.persiangig.com 
p35download.persiangig.com 
p40-10.persiangig.com 
pack-blogfa-com.persiangig.com 
padad.persiangig.com 
paeez2012.persiangig.com 
pakota1000.persiangig.com 
paksa1.persiangig.com 
panjsaher5.persiangig.com 
pantagon.persiangig.com 


papet.persiangig.com 


par30site.persiangig.com 
parandrayaneh.persiangig.com 
parazitwOrm.persiangig.com 
parsi.persiangig.com 
patoghma.persiangig.com 
payamjv.persiangig.com 
pejv4k.persiangig.com 
persian-defacer.persiangig.com 
persianbackyard.persiangig.com 
persianfurom.persiangig.com 
persianhw.persiangig.com 
persiantnt.persiangig.com 
peymanjahanbakhsh.persiangig.com 
pichpichak-speed.persiangig.com 
pick-sub-ir.persiangig.com 
pishiman.persiangig.com 
pkmax.persiangig.com 
planetworld.persiangig.com 
pmf0918.persiangig.com 
pnrbayati.persiangig.com 
pooyanse2.persiangig.com 
port80.persiangig.com 
pouya2006.persiangig.com 
powerdeactiver.persiangig.com 
prOgrammers.persiangig.com 
prime.persiangig.com 
prognet.persiangig.com 
programmers-9893.persiangig.com 
punisherr.persiangig.com 
pythonr00t.persiangig.com 


pzr23.persiangig.com 


quarenix.persiangig.com 
queen-iran.persiangig.com 
qwertyuiopasdfghjkl.persiangig.com 
r0zi33h.persiangig.com 
r3d-error.persiangig.com 
ramin-rock.persiangig.com 
raminO.persiangig.com 
raminmj18.persiangig.com 
raperhal.persiangig.com 
rashterror.persiangig.com 
ratohOst.persiangig.com 
ravager.persiangig.com 
ravanbakhsh.persiangig.com 
rayanmehr.persiangig.com 
raykagorgani.persiangig.com 
rebell.persiangig.com 
redoc.persiangig.com 
rexona-dl.persiangig.com 
reza-eblicen.persiangig.com 
rezabs.persiangig.com 
rgb4you.persiangig.com 
rking.persiangig.com 
rohullahalawi.persiangig.com 
rommy.persiangig.com 
rz04a.persiangig.com 
S-w-a-t.persiangig.com 
s3curity.persiangig.com 
s3v3n.persiangig.com 
saber74.persiangig.com 
saeedgraph.persiangig.com 


saeid70.persiangig.com 


sajjadkhafan.persiangig.com 
sakhi.persiangig.com 
samadzade.persiangig.com 
saman034.persiangig.com 
samiragol.persiangig.com 
samirdotnet.persiangig.com 
samiruk.persiangig.com 
sar4tan.persiangig.com 
sarani0718.persiangig.com 
sasukeakastuki.persiangig.com 
satan1.persiangig.com 
satanic.persiangig.com 
satanicboot.persiangig.com 
satanicstar.persiangig.com 
scorpion2.persiangig.com 
scriptplazza.persiangig.com 
security-team.persiangig.com 
sepidehdam.persiangig.com 
seyyedrasoul.persiangig.com 
sezar.persiangig.com 
sh3karchi.persiangig.com 
sh4dows-king.persiangig.com 
shahinfalcon.persiangig.com 
shamal.persiangig.com 
sheidaian.persianblog.ht 
sheikhoo.persiangig.com 
siamak17.persiangig.com 
sianOr.persiangig.com 
sidel32.persiangig.com 
sir4r4sh3rr0r.persiangig.com 


skOnter.persiangig.com 


slate. persiangig.com 
soa-team.persiangig.com 
softme.persiangig.com 
soltanhoseyn.persiangig.com 
someone.persiangig.com 
sonyeric.persiangig.com 
sootak.persiangig.com 
source-planet.persiangig.com 
spthapali.persiangig.com 
spyftp.persiangig.com 
spyn3t.persiangig.com 
srm-kabir.persiangig.com 
sun2rise.persiangig.com 
sunboy871.persiangig.com 
syndr0me.persiangig.com 
sysn3t.persiangig.com 
system2009.persiangig.com 
t-danlod.persiangig.com 
tabriz118.persiangig.com 
takfanar.persiangig.com 
takp30them4.persiangig.com 
tanhadarshab2.persiangig.com 
tanhaeshgh71.persiangig.com 
tanhastrife. persiangig.com 
tarfandrooz.persiangig.com 
temp-designer.persiangig.com 
terminator1.persiangig.com 
the-rock.persiangig.com 
themist.persiangig.com 
thr3at.persiangig.com 


timer.persiangig.com 


tink3r.persiangig.com 
tir3x-r00t.persiangig.com 
titaksecteam.persiangig.com 
titaniom1370.persiangig.com 
torbat-h.persiangig.com 
tornado20.persiangig.com 
trOyt34m.persiangig.com 
turkhackers.persiangig.com 
uh12uh12.persiangig.com 
under-world.persiangig.com 
unknOwn72.persiangig.com 
upload-ekrami.persiangig.com 
upload2020.persiangig.com 
upload4u.persiangig.com 
uploadh.persiangig.com 
uploadr.persiangig.com 
urmiatheme.persiangig.com 
V4hid.persiangig.com 
vahid-master.persiangig.com 
vahid4251.persiangig.com 
vahidsistem.persiangig.com 
vbmahdi2009.persiangig.com 
vhdmsm.persiangig.com 
vibox.persiangig.com 
virus45.persiangig.com 
wanted. persiangig.com 
wolf.persiangig.com 
wanted1.persiangig.com 
wantedst.persiangig.com 
web-pc-training.persiangig.com 


xsky.persiangig.com 


An image is worth a thousand words. 
[Image: defacement page reading "HACKED BY HACK3D TEAM"]


EvilHack -> http://www.youtube.com/user/AnonymousEvilHack/about -> http://cyber-code.tk/
-> BG Cyber Army -> http://www.zone-h.org/archive/notifier=Bulgarian%20Cyber%20Army
-> https://www.facebook.com/bgcyberarmy

Bca-group.org - Email: bca-group@mail.ru 

BG Cyber Army - Cyber Root, Cyber King, iNCUBUS, JoKeR, MoonSpire 

- [Pa3pyxA, FuckOFF, CyberKing, CyberLord] 

CyberLord: cyberlordbg@mail.ru :: [OK] 

[+] CyberKing: z3roc00I|@mail.ru :: [OK] 

Pa3pyxA: ra3pyxa@mail.ru 

Anonymous BG's main forum URL: http://anonbg.info 

Group member handles: rootheR_, Hades, NoTolerance, EvilHack, PsychoPatternz. 
Forum postings for ID-ed member PsychoPatternz: http://anonbg.info/member.php?34-PsychoPatternz

Forum postings for ID-ed member EvilHack: http://anonbg.info/member.php?13-EvilHack 
EvilHack's real name: Genadi 

Skype: genadi_97 

Skype: anonymous_evilhack 

City: Veliko Turnovo or Tutrakan 

Associated emails: 

clangrf@abv.bg 

genadi_100@abv.bg 

anonyops@abv.bg 

EvilHack@hmamail.com 

evilhackO00@gmail.com 

evilhack@bk.ru 

evil_hack@abv.bg 

URL he maintains: 

https://www.facebook.com/pages/EvilHack-Programs 
http://anonymous-world.free.bg/page-8.html 

http://web-dangerous.free.bg/page-9.html 

http://evilhack-official.blogspot.com/ 

http://www.podariavam.com/user/GenadiD 

PsychoPatternz's name: Asparuh Naydenov 

City:: Plovdiv 

Skype: asparuh1231 

URLs he maintains: 

http://psychopatternz.blogspot.com/ 

https://www.facebook.com/hakhz/timeline 

Facebook profile: 

https://www.facebook.com/Psychopatternz 

EvilHack appears to be also a member of a newly emerged group, namely, Bulgarian Cyber 
Army. 


Connection: EvilHack -> http://www.youtube.com/user/AnonymousEvilHack/about ->
http://cyber-code.tk/ -> BG Cyber Army ->
http://www.zone-h.org/archive/notifier=Bulgarian%20Cyber%20Army
-> https://www.facebook.com/bgcyberarmy

Official Web site: bca-group.org - Email: bca-group@mail.ru 

Related group emails: bca-group@bk.ru; adrenalinovocs@abv.bg 

Current members: Cyber Root, Cyber King, iNCUBUS, JoKeR, MoonSpire 
Ex-members: Pa3pyxA, FuckOFF, CyberKing, CyberLord 

Group members' associated emails: 

CyberLord - cyberlordbg@mail.ru 

CyberKing - z3roc00|@mail.ru 

Pa3pyxA - ra3pyxa@mail.ru 

Group's Name: "Hack3D TeaM" or "MTH Soft"

Facebook: https://www.facebook.com/hack3dteam; 
https://www.facebook.com/bgworm.info 

Vimeo account: http://vimeo.com/user16145338/videos 

Forum: http://hakerstvo.informe.com/ 

Zone-H Archive: http://zone-h.org/archive/notifier=MaStErChO/page=1 

Hackdb Archive: http://www.hack-db.com/hacker/rOOtkit/all.html 

Google Plus Profile: https://plus.google.com/104878573752624522053/photos 
Group Members: r00tkit, MaStErChO AloneWolf, Sspdf1i, razora911, Metalqear 
Shout outs most commonly given to -- on the basis of multiple defaced page
assessments -- MaStErHaCk, - RTFM -The Godfather-(tm)(R) PanteliX (R)(tm) -
(tm)W!PS(tm) - Tiger(tm) - Slackera - TraferA - 3ikmy - N3xOR.

Known group domains' reconnaissance: 

hxxp://bgworm.com - Email: gudolik@gmail.com - name: "Mastercho 

Hoomie" same as the Google Plus account 

hxxp://bgworm.info - historical WHOIS emails: Email: nikolas¢7@abv.bg; 

Email: mahon-74@hotmail.com 

Group member profile: Anton Nikolaev (MaStErChO) 

Email: ludoto_93@abv.bg - email used from the forum's registration confirmation 
Secondary email: ludoto_93@hotmail.com - Reference: 
https://www.facebook.com/photo.php? 
fbid=327560933969442&set=a.325721410820061.74800.125466524178885&type=1 
Skype: ko.ti.puka 

Mobile: 0895373102 

Second Mobile: 0887565357 

Birth date: March 25, 1992 or 17 July, 1990 


Sample SNA (Social Network Analysis) of key participants in Bulgaria's virii writing 
and hacking scene throughout the 90's: 


Sample Technical Collection keywords in terms of Bulgaria's Durzhavna Sigurnost 
Technical and Scientific Intelligence involvement in Cold War espionage activities: 


eBAHKA EJIEKTPOHVKA 
ef3Y-AA 

eCynepanck -> Syquest 
eTura CropnmK 
eAHCUCT 

eMou6s1aH 

eAHKO 

eSetron - CeTpoH 
eCeTpnk 
eWVnTepTexHosOp>KNn 
eHuxoH MeANna 
eKennoK 

eflyKenic 

eEn Tu En 

eMeynnu3snH 

eWHCKCT xeHAeN 
eflevta MarHeTNKC 
eUkyan6u3n 

eEm 2>kn Enut xongquur 
ef\3Y KopnopenuibH 
eMloHT nepndeppic 
elura cropupK 
eBanTaM esnleKTpOHNK 


Sample personally identifiable information for Vasil Kolev a.k.a ManiaX: 
Personal Email: vasil@dobrich.net 

Personal Web Site: https://vasil.ludost.net 

Twitter account: https://twitter.com/krokodilerian 


Sample personally identifiable information for Jordan Dimov: 
Personal Email: jdimov@cigital.com 

Personal Email: jdimov@nsegcorp.com 

Personal Email: s3x3y1@gmail.com 

Personal Email: jdimov@a115.co.uk 

Personal Web site: http://jordan-dimov.com 

Sample LinkedIn account: https://uk.linkedin.com/in/jdimov 

Sample Twitter account: https://twitter.com/jdimov 

Google+ Account: https://plus.google.com/+JordanDimov/ 

Github account: https://github.com/a115 


Sample Bulgaria-themed Virii BBS services throughout the 90's: 


Virus Busters BBS 
Pooh BBS 

Tor_J BBS 

BBS Crash 
InnerSoft BBS 
SF&F BBS 
ToreNet BBS 
Virus Busters BBS 


Sample names of Bulgarian individuals known to have participated in Virii and 
Hacking and Phreaking groups: 


Winnie The PooH 
Darth Vader 
NEKO 

Assan Sharalan 
The Head 
Kenneth Zax 
Buggy KoSir 
TOSH 

Heavy Metal 
Miss Pritty Blond 
dr.Hack 

Doc Sharr 

The Red Rat 
white destroyer 


DX-2- 

PeshO 

De Head 

NEKO 

K.Zax 
BuggyKosir 
HHBeelzebub 
KickRashev 
DukeNinkassi 
DarkMessiah 
Grieg Gathlin 
Doctor Sharralan 
Red Rath 
BubbleBroom 
ConomoH-Bnaxbt 
MapTuH-OpKkbt 
The Creater 


Sample logo of Bulgaria's flagship Hacking/Phreaking/ Cracking E-zine Phreedom: 


Sample personal names of members of Bulgaria's flagship 
Hacking/Phreaking/Cracking E-zine group Phreedom: 


ManiaX, EXo, IronCode, Solar Eclipse, Star Gruhtar, kay, General Failure 


Sample personal names of members of Bulgaria's flagship 
Hacking/Phreaking/Cracking E-zine group Phreedom: 

AcTuKa, Al'oholic, Angel_K, Aquila10, Aryan, AtilaXak, Atilla King, Avatar, BADBOY, “Bad”, Bad 
Cluster, Bagerista, Balkana, be2to, Bebo, Beton, BigBoss, blurmind, BNN, Cama Casper, 
Chaikowsky, CHUSHKATA, |creep|, da Destroyer, Dark Doomer, Dark Lord, daNetizen, Defekt, 
darKmaster, DeathMan, Devil, Djoreto, DonBrasko, drJeckyll, Dragon, dusty, EDAC, Eggcho, 
Excessmind, Ezone, H@cK 3D, Fagin, Fox, FireBall, Fil FlyMan, Fufi, GinieG, GoodStuff, goro, 
Gotin, Goshino, gfury, HAHOHIHI, Humphree, Haz, Hitman, icho, Joal, JOJO, Joe_S, Joker, JJ, 
JonnyB, Joseph, JU140, K_MAN, |Kermit], killer, kiLoS, King, George X, KiroCobeto, kornfan, 
Lara, Lanc, Du Lac Lord, Slaytanic, LudGidia, Lukav, MaStEr_R, Master of Magic, METALISTA, 
Mef, Mefisto, Mega, Megakiller, Mentor, Mighty Magyar, Mitrandir, MITKOMAN, Mixx, Mill a.k.a 


Millenium, MMM, MUTANT, NIKON, Ngoro, NULL_PTR, Reket, RinBP, RPM6, Ones, OSLEPEN, 
OvenDelon, Overlord, Paff, Pif, PRENoMeN, Pfloyd, {PLEVEN}, PoweRG, PyMeH, S, Sanga, 
sandoc, Santah, Sauron Mordorski, sasko, Sel, ShadowBG, SIB, Simon, SKELEPHON, SK8, 
Sk8Boy, Slunchice, Smokie, SNOOpY%, sonicman, SongBird, Stalker a.k.a. Stoma, Stinger, 
SuperTed, TAEKWONDO, Tangra, Fanatic, Temiuki, Daykatana, TheForce, The Saint, ThugLife, 
Tobyman, TonicMan, Tuj-to, TYPYK, Ultra Violet, Undertake, VADER, VeS, VIGOUR, viadun, 
VoodoRush, WildThing, Xterna, Xtreme, _Zaphod_, Zheel, BadSector, bullet, Chaos Maker, 
Microphobic, CVM, CyberManiac, DD, Dephlector - dephlector@yahoo.com, Dr.Flip Fl0p, EXo, 
F2F, FlyMan, Fufi, General Filure, h4ck3r, Hackman-KKND, Hipodilsky, IronCode, javA, Kambo, 
Kevin, Kay, Kevin, KoRn, Kosio Spirov, ManiaX, RealEnder, Skelephon, Solar Eclipse, SPITE 
Master, Star Gruhtar, StereoMan, Tokata, VodooRush 


Sample Varna Hacking Group team members: 
CuMeOHoB 

{MANIAC} 

Maniac666 

moni 

schMatka - Email: schmatka@schmatka.org 

xdm 


Sample Varna Hacking Group personal information: 
Personal Web site: http://vhg.itgo.com/cni.html 

Personal Email: vhg_xakepu@usa.net 

Personal Email: webmaster@vhg.itgo.com 


Sample network-based reconnaissance: 
217.79.65.1 - router.schmatka.org 
217.79.65.2 - schmatka.org 


Personally identifiable information for Kosio Spirov primary author and founder of 
the Virus for You Bulgarian virii and hacking E-zine: 


Email: kspirov@iname.com; kosio@bigfoot.com, kosio@spirov.com, k.spirov@usa.net 
Address: 20 Tintyava Str., 1113 Sofia, Bulgaria 

Personal phone: +359 (2) 226361, 0889-777037 

ICQ - 5309053 

Birth date: July 09, 1973 

Facebook account: https://www.facebook.com/konstantin.spirov.3 

Personal Web Site: http://www.oocities.org/siliconvalley/peaks/9024/ 


Sample Bulgaria's Virus for You E-Zine contact information:
Email: vfu@fun.hawaii.net 


Address: Hawaii Islands, PO Box 41 


Sample personally identifiable photos of Kosio Spirov one of the primary authors 
and founders of Bulgaria's Virus for You virii writing and hacking E-zine throughout 
the 90's: 


Sample personally identifiable information for Georgi Guninski: 
Personal Email: guninski@guninski.com 

Personal Email: gguninski@gmail.com 

Personal Web Site: http://www.guninski.com/ 

Personal Web Site: https://j.ludost.net/ 


Sample personally identifiable photos of Georgi Guninski: 




Sample personally identifiable information for Daniel Kalchev a.k.a Kohntark: 
Twitter account: https://twitter.com/danielkalchev 
Sample personally identifiable photos of Daniel Kalchev a.k.a Kohntark: 


Profiling "Innovative Marketing" - The Flagship Malvertising and Scareware Distributor - Circa 2008 - An OSINT Analysis


Continuing the "FBI Most Wanted Cybercriminals" series, I've decided to take a closer look
at "Innovative Marketing", the primary malvertising and scareware distributor that participated
in several high-profile malvertising and scareware-serving campaigns circa 2008. The profile
includes personally identifiable information on two of the main group operators, Shaileshkumar P.
Jain and Bjorn Daniel Sundin, with the idea of providing law enforcement and the U.S.
Intelligence Community with the information necessary to track down and prosecute the gang
behind these campaigns.


In this post I'll profile actionable intelligence on the infrastructure behind the
"Innovative Marketing" malvertising and scareware distributor circa 2008, including
personally identifiable information on two of the key members of the gang.


Known "Innovative Marketing" alternative brand names and related associates: 
Billingnow 

BillPlanet PTE Ltd. 

Globedat 

Innovative Marketing Ukraine 
Revenue Response 

Sunwell 

Synergy Software BV 

Winpayment 

Consultancy SPC 

Winsecure Solutions, 

Winsolutions FZ-LLC 

ByteHosting Internet Services, LLC 
Setupahost.net 


Known related campaigns and related brands launched by the same group: 
BurnAds 

UniqAds

Infyte 

NetMediaGroup 


ForceUp 


Related malicious and fraudulent domains known to have participated in the 
campaign: 


Related scareware products known to have been sold and distributed by 
"Innovative Marketing": 
SpyGuarder 

Spykiller Pro 

Spyware Sweeper 
SpywareIsolator
SwiftCleaner 
SystemDoctor 
SystemErrorFixer 
SystemSweeper 
TotalAntivirus 

Trasheraser 
Trustedprotecion 
UltimateCleaner 
VirusRemover 2008 
WinAntiSpyware 
WinAntiVirusPro 
WinBugFixer 


WinDefender2008 
WinFixer 
Winsecureav 
WinSpyware Protect 
WinxDefender 
XLifeGuarder 

XP AntiSpyware 2009 
XP AntiVirus 


Related domains known to have participated in the campaign: 
hxxp://sansinfections.com 
hxxp://sayonarabaggu.com 
hxxp://schijfoewaker.com 
hxxp://schijfcontroleur.com 
hxxp://schijfredder.com 
hxxp://schijfruimteredder.com 
hxxp://schutzderdaten.com 
hxxp://schutzfuerpc.com 
hxxp://secretissimosoft.com 
hxxp://secretopertutti.com 
hxxp://secretosasalvo.com 
hxxp://secretoseguro.com 
hxxp://securepccleaner.com 
hxxp://sefunahimitsu.com 


hxxp://sekretessforsvarare.com 
hxxp://senzadoppioni.com 
hxxp://shingaidome.com 
hxxp://shinraihogo.com 
hxxp://selvascreensaver.com 
hxxp://sharpadverts.com 
hxxp://shivanetworking.com 
hxxp://shopshot.com 
hxxp://softwcs.com 
hxxp://shinraipafomansu.com 
hxxp://shisutemudifensu.com 
hxxp://sichererantivirus.com 
hxxp://sichererschutz.com 
hxxp://sicherheitstool.com 
hxxp://sikkerbrukere.com 
hxxp://sikkerpcredskap.com 
hxxp://sikkersystem.com 
hxxp://sinataques.com 
hxxp://sinrrastros.com 
hxxp://sinsenales.com 
hxxp://sistemaprotegido.com 
hxxp://sistemupyua.com 
hxxp://sisutemuantei.com 
hxxp://sisutemuorugurin.com 
hxxp://skyddsprogram.com 
hxxp://smittfri.com 
hxxp://solelunaantivirus.com 
hxxp://speichertool.com 
hxxp://spyguardpro.com 
hxxp://spywaretaisakumaster.com 
hxxp://stopbedreiging.com 
hxxp://stopminacce.com 
hxxp://spywareisolator 
hxxp://storageprotector.com 
hxxp://succesantivirus.com 
hxxp://superanonimo.com 


hxxp://surfforsure.com 
hxxp://surfremover.com 
hxxp://stratosearch.com 
hxxp://swiftcleaner.com 
hxxp://tallgrass-seach.com 
hxxp://traffalo.com 
hxxp://traveltray.com 
hxxp://sutoppuwirusu.com 
hxxp://syssauvegarde.com 
hxxp://systemerrorfixer.com 
hxxp://systemesansfaute.com 
hxxp://systemesansvirus.com 
hxxp://systemhoover.com 
hxxp://systemschild.com 
hxxp://tackanejvirus.com 
hxxp://tilforlatelig.com 
hxxp://toolsicuro.com 
hxxp://topsalgantivirus.com 
hxxp://trasheraser.com 
hxxp://trusselovervagning.com 
hxxp://trustedantivirus.com 
hxxp://trustedprotection.com 
hxxp://tryggpcverktyg.com 
hxxp://trygpcbruger.com 
hxxp://turnkeyantivirus.com 
hxxp://unidadessanas.com 
hxxp://usuarioprotegido.com 
hxxp://utiledereparation.com 
hxxp://vitecmedia.com 
hxxp://waytotheprofit.com 
hxxp://windefender.com 
hxxp://wontu-search.com 
hxxp://utilisateursur.com 
hxxp://vaktmotvirus.com 
hxxp://veiligheidsagent.com 
hxxp://virenvernichter.com 


hxxp://virusbekaemper.com 
hxxp://viruskrakker.com 
hxxp://virussperr.com 
hxxp://virusurimuva.com 
hxxp://virusvanger.com 
hxxp://virusvijand.com 
hxxp://volumformatredskap.com 
hxxp://wirusufinisshu.com 
hxxp://wirusuk.com 
hxxp://wirusukyua.com 
hxxp://aboutstat.net 
hxxp://freeorangestats.com 
hxxp://newstat.net 
hxxp://aboutstat.net 
hxxp://freeorangestats.com 
hxxp://getmosales.com 
hxxp://newstat.net 
hxxp://sexprofit.com 
hxxp://ad2cash.net 
hxxp://admiragroup.com 
hxxp://antispyexpert.com 
hxxp://antispyexpertpro.com 
hxxp://getmosales.com 
hxxp://malwarecrash.com 
hxxp://adtraff.com 
hxxp://bucksbill.com 
hxxp://burnads.com 
hxxp://forceup.com 
hxxp://freetvnow.com 
hxxp://getfreecar.com 
hxxp://adtraff.com 
hxxp://adzyclon.com 
hxxp://checkm8.com 
hxxp://adtraff.com 
hxxp://blessedads.com 
hxxp://prevedmarketing.com 


hxxp://checkm8.com 
hxxp://newbieadguide.com 
hxxp://blessedads.com 
hxxp://prevedmarketing.com 
hxxp://malwarecrashpro.com 
hxxp://bestadmedia.com 
hxxp://bestsearchnet.com 
hxxp://blessedads.com 
hxxp://bucksbill.com 
hxxp://burnads.com 
hxxp://burnads.com 
hxxp://casinoaceking.com 
hxxp://cryptdrive.com 
hxxp://newbieadguide.com 
hxxp://blessedads.com 
hxxp://prevedmarketing.com 
hxxp://fileprotector.com 
hxxp://forceup.com 
hxxp://forceup.com 
hxxp://freetvnow.net 
hxxp://fulsearch.com 
hxxp://games.biz 
hxxp://Imamis.net 
hxxp://Individ-search.com 
hxxp://Information-advertising.info 
hxxp://Infyte.com 
hxxp://getfreecar.com 
hxxp://greyhathosting.com 
hxxp://netmediagroup.net 
hxxp://netturbopro.com 
hxxp://newbieadguide.com 
hxxp://getfreecar.com 
hxxp://greyhathosting.com 
hxxp://netmediagroup.net 
hxxp://netturbopro.com 
hxxp://newbieadguide.com 


hxxp://greyhathosting.com 
hxxp://installprovider.com 
hxxp://libresystm.com 
hxxp://loffersearch.com 
hxxp://magicsearcher.com 
hxxp://malware-scan.com 
hxxp://manage-search.com 
hxxp://megashopcity.com 
hxxp://mightyfaq.com 
hxxp://misc-search.com 
hxxp://moneycometrue.com 
hxxp://moneypalacecash.com 
hxxp://myhealth-life.org 
hxxp://myonlinefinance.com 
hxxp://mysurvey4u.com 
hxxp://netmediagroup.net 
hxxp://netturbopro.com 
hxxp://newbieadguide.com 
hxxp://newstat.net 
hxxp://newbieadguide.com 
hxxp://blessedads.com 
hxxp://prevedmarketing.com 
hxxp://pcsupercharger.com 
hxxp://performanceoptimizer.com 
hxxp://popupnukerpro.com 
hxxp://prizesforyou.com 
hxxp://traffalo.com 
hxxp://uniqads.com 
hxxp://popadprovider.com 
hxxp://popsmedia.com 
hxxp://popupnukerpro.com 
hxxp://prevedmarketing.com 
hxxp://prevedmarketing.com 
hxxp://prizesforyou.com 
hxxp://proximogroup.com 
hxxp://adtraff.com 


hxxp://bucksbill.com 
hxxp://burnads.com 
hxxp://forceup.com 
hxxp://freetvnow.com 
hxxp://proximogroup.com 
hxxp://rocktheads.com 
hxxp://roller-search.com 
hxxp://rombic-search.com 
hxxp://se7ensearch.com 
hxxp://search-expand.com 
hxxp://search-the-prey.com 
hxxp://Cryptdrive.com 
hxxp://Deuscleanerpay.com 
hxxp://Easybestdeals.com 
hxxp://Eroticabsolute.com 
hxxp://Marketingdungeon.com 
hxxp://Mediatornado.com 
hxxp://Megashopcity.com 
hxxp://Mightyfaq.com 
hxxp://Mobilesoftmarketing.com 
hxxp://Moneycometrue.com 
hxxp://Moneypalacecash.com 
hxxp://Cheap-auto-deals.com 
hxxp://Checkstocklist.com 
hxxp://Chushok.com 
hxxp://Clever-at-search.com 
hxxp://Mobilesoftmarketing.com 
hxxp://Mobiletops.com 
hxxp://Mobilorg.org 
hxxp://Moneycometrue.com 
hxxp://searchcolours.com 
hxxp://searchmandrake.com 
hxxp://searchonline-ease.com 
hxxp://searchoperation.com 
hxxp://searchvirtuoso.com 
hxxp://sellmoresoft.net 


hxxp://sellmysoft.net 
hxxp://malware-scan.com 
hxxp://sharpadverts.com 
hxxp://shivanetworking.com 
hxxp://shivanetworking.com, 
hxxp://deuscleaneronline.com 
hxxp://shivanetworking.com 
hxxp://simplesamplesearch.com 
hxxp://soccernet 
hxxp://burnads.com, 
hxxp://adtech.de 
hxxp://blessedads.com, 
hxxp://performanceoptimizer.com 
hxxp://softwareprofit.com 
hxxp://softwcs.com 
hxxp://stratosearch.com 
hxxp://tallgrass-seach.com 
hxxp://theringtonesource.com 
hxxp://traffalo.com 
hxxp://traveltray.com 
hxxp://treekindsearch.com 
hxxp://unicsearch.com 
hxxp://uniqads.com 
hxxp://upg-soft.net 
hxxp://vitecmedia.com 
hxxp://wewillfind.com 
hxxp://win.com 
hxxp://windefender.com 
hxxp://workhomecentre.com 
hxxp://zappinads.com 
hxxp://windefender.com 
hxxp://wontu-search.com 
hxxp://workhomecenter.com 
hxxp://yourseeker.com 
hxxp://yourshopz.com 
hxxp://yourteacheronline.com 


hxxp://zappinads.com 
hxxp://zooworld-search.com 


Related domains known to have participated in the campaign: 
hxxp://adtraff.com — 190.15.73.254
hxxp://forceup.com — 190.15.73.254
hxxp://burnads.com — 190.15.73.254
hxxp://blessedads.com — 190.15.73.254
hxxp://prevedmarketing.com — 190.15.73.254
hxxp://r2d2adverising.com — 190.15.73.254
hxxp://shivanetworking.com — 190.15.73.254


Continuing the "FBI Most Wanted Cybercriminals" series, I've decided to continue providing
actionable threat intelligence on some of the most prolific and wanted cybercriminals in the
world.


Following a series of high-profile Web site defacement and social media attack campaigns
largely relying on good old-fashioned social engineering, it appears that the individuals behind
the Syrian Electronic Army are now part of the FBI's Most Wanted Cyber Watch List. I've
therefore decided to conduct an OSINT analysis sharing actionable intelligence on the group's
operators, with the idea of assisting law enforcement and the U.S. Intelligence Community with
the necessary data which could lead to the successful tracking down and prosecution of the team
behind these campaigns.


In this post I'll provide actionable intelligence on the group behind the Syrian Electronic Army,
including actionable intelligence on the infrastructure behind some of their most prolific social
engineering driven campaigns.


Sample Personal Photo of Ahmad Al Agha: 


Sample Personal Photo of Firas Nur Al Din Dardar: 


Sample Web Site Defacement Screenshot courtesy of "The Shadow": 




Sample Screenshots of the Syrian Electronic Army Web Site Defacement Activity: 




Related domains known to have participated in the campaign: 


Related IPs known to have participated in the campaign: 


Social Media Accounts: 
hxxp://twitter.com/Official_SEA
hxxp://twitter.com/ThePro_Sy
hxxp://instagram.com/official_sea3/
hxxp://pinterest.com/officialsea/
hxxp://www.facebook.com/sea.theshadow.716
hxxp://linkedin.com/pub/th3pr0-sea
hxxp://plus.google.com/116471187595315237633
hxxp://flickr.com/photos/th3pr0
hxxp://foursquare.com/user/29524714


Skype account IDs known to have participated in the campaign: 
syria.Sec
koteba63
koteba
sea.shadow3
the.shadow21
tiger.white20
nana.saifo10
nana.saifo


Related emails known to have participated in the campaign: 


We'll continue monitoring the campaign and post updates as soon as new developments take 
place. 


Exposing Bulgaria's Largest Data Leak - An OSINT Analysis 


I recently came across a news article detailing the recently leaked Bulgaria NAP records
database and decided to take a closer look. What does this leak constitute? The attacker
managed to compromise the security of the Web site, leading to the successful extraction of a
decent portion of data which could constitute a leak.


NOTE: The data in this analysis has been obtained using public sources. 




In this post I'll profile a novice Bulgaria-based cybercriminal who managed to obtain access to
the database and shared it within several cybercrime-friendly forum communities, making it
publicly accessible. I'll also include an in-depth overview of TAD Group, a Bulgaria-based
penetration testing company.


Real Name: Daniel Ganchev


Email: daniel.ganchev@abv.bg 


Sample URL of the cybercriminal involved in the campaign: 
hxxp://instakilla.com/ - Email: wp@instakilla.com; info@instakilla.com 


Instagram Account: hxxp://www.instagram.com/instakilla_/ 


Bitcoin address used in the campaign: 3Ex6LeHorgRjkBmws4SsRZ3FXSJDXkK5FhP 


Sample additional domain known to have been used by the same individual: hxxp://209.250.232.143


Related URLs known to have participated in the campaign: 
https://instakilla.com/5k.txt 
https://instakilla.com/teaser.txt 


Sample Screenshot of the Original Letter Send to Journalists: 


Let's take a closer look at the Bulgaria-based TAD Group, a well-known penetration testing
company currently running Bulgaria's largest and most popular hacking forum community -
hxxp://www.xakep.bg - which was recently blamed for Bulgaria's largest database leak, in
particular its founders and several employees, in the context of an OSINT analysis highlighting
some of the key functions of the company and its involvement in the incident.


Sample Company Logo: 




Sample Hacking Forum Logo: 




Sample Exploits Developed courtesy of the founder of the group: 


Sample Photos of TAD Group Employees: 


Sample TAD Group Photos: 


Related personally identifiable information of TAD members: 
Real Name: Ivan Todorov 
Email: todorov_i@tadgroup.com; todorov_i@subway.bg 


Related social network accounts: 
hxxp://github.com/chapoblan 
hxxp://www.facebook.com/chapoblan/ 


Sample Bulgaria Leaked Database URL: 
hxxp://uploadfiles.io/sip3gzh8 


Sample Email known to have been used in the campaign: 
Email: minfin_leak@yandex.ru 


Sample MD5 known to have been used in the campaign: 
MD5: 3125f2f04d3bac84c418ceb321959aba 


It's also worth pointing out that I've managed to come across a fraudulent proposition
courtesy of the hxxp://www.xakep.bg cybercrime-friendly forum community, with the
cybercriminal behind it currently soliciting managed hacker-for-hire type of services.


Sample screenshots courtesy of the service: 


We'll be keeping an eye on the campaign and we'll post updates as soon as new
developments take place.


Remember my most recently published "Assessing The Computer Network Operation 
(CNO) Capabilities of the Islamic Republic of Iran - Report"? The report details and 
discusses in-depth the most prolific Iran-based government-sponsored and tolerated hacking 
groups including the following groups: 


- Ashiyane Digital Security Team
- Iranhack Security Team
- Iranian Datacoders Security Team
- Iran Security Team a.k.a SEPANTA Team/Iran Cyber Army 2012/2013
- IDH Security Team
- Bastan Security Team
- NOPO Digital Security Team
- Shekaf Security Team
- Mafia Hacking Team
- Iran Black Hats Team
- Delta Hacking Security Team
- Digital Boys Underground Team
- IrIst Security Team


I recently came across the FBI's Most Wanted Cybercriminals List and decided to elaborate
more by providing actionable Threat Intelligence on some of the most wanted Iranian
cybercriminals, with the idea of helping law enforcement, informing the security industry and
ensuring that the cybercriminals behind these campaigns can be properly tracked down and
prosecuted.


I can be reached at dancho.danchev@hush.com 


In this OSINT analysis I'll provide actionable intelligence, including personally identifiable
information, on some of the FBI's Most Wanted Iranian cybercriminals including Ahmad Fathi, Hamid
Firoozi, Amin Shokohi, Mohammad Sadegh Ahmadzadegan, Omid Ghaffarinia, Sina
Keissar and Nader Saedi, as well as the infamous ITSec Team and the Mersad Co. company.


Personally Identifiable Information regarding Sun Army Team Members including ITSec Team 
and the Mersad Co. company: 


Sun Army Team Members: 
Nitrojen26, Mehdy007, MagicCoder, tHe.Mo3tafA, Plus, BodyGuard 


Sample Network Infrastructure Reconnaissance:
hxxp://sun-army.org - 185.53.179.10 - Email: Sun.Army@asia.com; Lord.private@ymail.com 


Name: Omid Ghaffarinia
Handle: Plus
Email: omid.ghaffarinia@gmail.com; plus.ashiyane@gmail.com; omid.ghaffarinia@alum.sharif.edu
Phone: 091 2444 9002
Web Site: http://alum.sharif.ir/~omid.ghaffarinia/; http://omidplus.persiangig.com/
Social Media Accounts: https://plus.google.com/109226633947780718251


Personal Photos of Omid Ghaffarinia a.k.a Plus: 


Sample Personal Photos from a Train Trip: 


Handle: MagicCoder 
Email: MagicCOd3r@gmail.com 
Web Site: http://magiccoder.ir 


Handle: Mehdy007 
Email: mehdy007@hotmail.fr 
Web Site: http://mehdy007.persiangig.com 


Sample Sun Army Cover Art Photos: 




ITSec Team a.k.a Amn pardazesh kharazmi a.k.a Pooya Digital Security 
Group Members: 
Pejvak, M3hr@n.S, Am!rkh@n, Doosib, H4mid@Tm3l, R3dmOve, Provider, anmadbady 


IT Security Research & Penetration Testing Team 


Sample Team Member Personally Identifiable Information: 
Name: Amin Shokohi 

Handle: Pejvak 

Email: pejv4k@yahoo.com 

Web Site: http://pejv4k.persiangig.com; http://pejv4k.110mb.com 


Handle: Mehr@n.S 
Email: M3hran.S@gmail.com 


Sample Network Infrastructure Reconnaissance: 
http://itsecteam.com/ 


Social Network Graph of Sun Army Team Members including ITSec Team 
Members and the Mersad Co. company: 


Name: Mohammad Sadegh Ahmadzadegan

Handle: Nitrojen26 

Email: nitrOjen26@asia.com; Nitrojen26@yahoo.com; me@sadahm.net 
Web Site: hxxp://sadahm.com 

Social Media Accounts: https://twitter.com/nitrojen26 


Sample Personal Photos of Mohammad Sadegh Ahmadzadegan a.k.a Nitrojen26:




Sample Mersad Co. Company Logo: 




Sample Network Infrastructure reconnaissance: 
hxxp://mersad.co/ - 188.40.112.196 
hxxp://mersadco.ir


Mohammad's life has strongly tied with programming. After graduation of Computer 
Engineering, he studied IT (E-Commerce) for his Master to know more about the relation of 
business and technology. You can find some large scale software projects managed by him like 
Iran’s SOC, SDIDS, Jolfa Vulnerability DB and etc. Now he is a university lecturer and also CEO 
of Mersad Co. and one of TKJ Co. consultants. Mohammad is here to help you how to manage a 
good develop team and guide you to have better usage of technology to achieve your business 
goals. 


Personal Photos of Mersad Co. CEO Mohammad Hamidi Esfahani:


Personally Identifiable Information regarding Mersad Co. Company CEO Mohammad 
Hamidi Esfahani: 


Name: Mohammad Hamidi Esfahani 

Email: m.hamidi.es@gmail.com

Phone: 0913-304-7591

Web Sites: http://www.mohammadhamidi.ir/

Social Media Accounts: https://www.facebook.com/mohammad.hamidi; https://twitter.com/haj_mamed;
https://github.com/mohammadhamidi; https://medium.com/@haj_mamed;
https://plus.google.com/++mohammadhamidiEsfahani;


Sample Mersad Co. Personal Company Photos: 


Dear blog readers, 


I've decided to post a second update to my original FBI's Most Wanted Iran-based 
Cybercriminals post including the original research on Iran's Hacking Ecosystem and the 
second edition of the report with the idea to assist U.S Law Enforcement and the U.S 
Intelligence Community on its way to track down and prosecute the cybercriminals behind these 
campaigns. 


Sample personally identifiable information for Omid Ghaffarinia a.k.a Plus: 
Name: Omid Ghaffarinia 

Handle: Plus 

Email: omid.ghaffarinia@gmail.com; plus.ashiyane@gmail.com; 
omid.ghaffarinia@alum.sharif.edu 

Phone: 091 2444 9002 

Web Site: http://alum.sharif.ir/~omid.ghaffarinia/; http://alum.sharif.ir/~omid.ghaffarinia/; 
http://omidplus.persiangig.com/; 

Social Media Accounts: https://plus.google.com/109226633947780718251; 
https://plus.google.com/109226633947780718251 


Sample Maltego SNA (Social Network Analysis) of Omid Ghaffarinia a.k.a Plus: 


Sample personal photos of FBI's Most Wanted Omid Ghaffarinia a.k.a Plus:


Remember BakaSoftware? The ubiquitous scareware-serving and distributing money
laundering scareware affiliate-based network circa 2008? It appears that the time has come to 
expose the actual individuals behind the campaign and the actual network. 


In this analysis I'll discuss in depth the BakaSoftware franchise circa 2008 including in-depth
and personally identifiable information on the cybercriminals behind it with the idea to
empower law enforcement and the security industry with the necessary data and information
that would eventually lead to the prosecution and tracking down of the cybercriminals behind
BakaSoftware.


I can be reached at dancho.danchev@hush.com 


Personal Photo of Gavril Danilkin - Founder and CEO of BakaSoftware: 




Second Personal Photo of Gavril Danilkin - Founder and CEO of BakaSoftware: 


Personally Identifiable Information regarding BakaSoftware's Founder and CEO - 
Gavril Danilkin: 

Name: Gavril Danilkin 

Email: gavril@penza.net; fido@penza.net; doncapone@mail.ru; gavril@sura.com.ru; 
Mobile Phone: 8412631806; 89023537746; 841251-06-02; 841256-49-45; 841276-06-93 
Skype: BakaDialer 

Web Site: http://penza-stroika.narod.ru 


BakaSoftware Social Network Visualization Graph courtesy of Maltego: 


Personal Passport Photo of Gavril Danilkin's father Danilkin Vasily Vasilyevich: 


Second Personal Passport Photo of Gavril Danilkin's father Danilkin Vasily 
Vasilyevich: 


Malicious and Fraudulent Infrastructure reconnaissance:
hxxp://bakasoftware.com - 216.240.138.200 - Email: gavril@penza.net
hxxp://ns1.bakasoftware.com - 216.255.189.139 - Email: support@tobesoftware.com
hxxp://tst.bakasoftware.com - 216.255.189.155 - Email: support@tobesoftware.com 
hxxp://bakasoftware.net - 208.88.227.36; 208.88.227.36 - Email: krab@thekrab.com 
hxxp://bakadialer.com 


Personally Identifiable Information regarding BakaSoftware - TheKrab: 
Name: TheKrab 

Email: marck@gmail.com 

Phone: +7 012-225-5252 

Web site: http://smmprofi.ru/marck 


Personal Photo of a known BakaSoftware Gang Member known as - TheKrab: 


Related Personal Photo of a known BakaSoftware Gang Member known as - 
TheKrab: 


It gets even more interesting to find out that BakaSoftware's Gavril Danilkin is currently 
running a rogue and potentially malicious rogueware and adware distributing affiliate-company 
known as Zaxar Limited. Let's take the time and effort and provide actionable intelligence on 
the infrastructure behind the campaign. 


Related Zaxar Ltd Information: 
Zaxar Limited 


P.O. Box 54922, 

Zip 3729, 

Limassol, Cyprus 

e-mail: secretary@zaxar.net 


Related malicious URLs known to have participated in the campaign: 
hxxp://zxrmedia.com/client/current_version6/cef_extensions.pak 
hxxp://zxrmedia.com/client/current_version6/gameslist.dat 
hxxp://zxrmedia.com/client/current_version6/calling.wav 
hxxp://zxrmedia.com/client/current_version6/cef_100_percent.pak 
hxxp://zxrmedia.com/client/current_version6/devtools_resources.pak 
hxxp://zxrmedia.com/client/current_version6/cef.pak.info 


Fraudulent and malicious rogue network infrastructure reconnaissance: 
hxxp://zaxargames.com - 185.82.210.27; 185.82.210.24; 185.82.210.30 
hxxp://zxrmedia.com - 185.82.210.5; 185.82.210.26; 188.42.129.36; 185.82.210.29 
hxxp://zaxarstore.com - 185.82.210.24 

hxxp://zaxargames.com 

hxxp://zaxarsearch.com 


Related malicious MD5s known to have participated in the campaign:
MD5: 5c60400d7663b9a3fedd93baf0156df9 
MD5: 5dd18f122fbe022e6e366d79d5b2b8a0 
MD5: 225802a12e3aaeb9773b681ebe96bbe7 
MD5: a50ef877e6329d2851de3fd4f49b8f7a 
MD5: c82f177911708cd8373f7d788ced5ef3a 
MD5: 73b48b697e7e09e2325656734eaf9f48 
MD5: 522cb664e0284abf055315d327ff9c6d 
MD5: 225b1ab5889506d39643d736d15fe20d 
MD5: 3ca8378d493d9aa1248359c44cb0eeb8 
MD5: 7c897ce217b05bb1694a924afa34096c 
MD5: 73b48b697e7e09e2325656734eaf9F48 
MD5: 310e8b0e4f6dbd23c74b9fec300a24f6 


Related malicious MD5s known to have participated in the campaign: 
MD5: 225b1ab5889506d39643d736d15fe20d 

MD5: 3ca8378d493d9aa1248359c44cb0eeb8 

MD5: 7b2994888fdf0c08a357cc9c600c2c4d 

MD5: 5b3fcbe6f807 1e9035b8810dd3b0f143 

MD5: 58d9aa76eaed4710e22f835c6c71159e 

MD5: 3d327881d2950c3c7d0a58ecaai5720d 

MD5: 37a90a8afidd4c6b68cd54ddb8c6d37d 


MD5: 409a8c35651363ab2ba8d1d39e257d82 
MD5: 605425d1dbade7c978ebdc313b6312d5 


Related malicious MD5s known to have participated in the campaign: 
MD5: 201cfcfbled6dcaf229073318c4aaf06 
MD5: 8a9b2c23cc50f9798159297d300b0c46 
MD5: 0149de171a6530737b1ae82e9cf9b0cf 
MD5: 1cc70f8fd134bf7f556fca762a0a8ee7 
MD5: 36e083ae0d58cb2f342f4cb81d6af88c 
MD5: 1cc70f8fd134bf7f556fca762a0a8ee7 
MD5: 0149de171a6530737b1iae82e9cf9b0cf 
MD5: 3092c54065a78ec88122e066bccf6238 
MD5: 1cc70f8fd134bf7f556fca762a0a8ee7 
MD5: 0149de171a6530737b1iae82e9cf9b0cf 
MD5: 049684e041281f3f7c90fb75cdc70e09 
MD5: 1cc70f8fd134bf7f556fca762a0a8ee7 
MD5: 6d5edf93c1e4a2d1e2e5777884ed326f 
MD5: 8998c75fbd86bb63d4151a810balb4de 
MD5: 1cc70f8fd134bf7f556fca762a0a8ee7 


Related malicious MD5s known to have participated in the campaign: 
MD5: 3ca8378d493d9aa1248359c44cb0eeb8 

MD5: 58d9aa76eaed4710e22f835c6c71159e 

MD5: 7b2994888fdf0c08a357cc9c600c2c4d 

MD5: 5b3fcbe6f807 1e9035b8810dd3b0f143 

MD5: 3d327881d2950c3c7d0a58ecaai5720d 

MD5: 37a90a8afidd4c6b68cd54ddb8c6d37d 

MD5 :409a8c35651363ab2ba8d1d39e257d82 

MD5 :605425didbade7c978ebdc313b6312d5 


Related malicious MD5s known to have participated in the campaign: 
MD5: dafeic1189a6fc55800d0874ffd6567c 
MD5: c66d0521a736b73bbd109dedba2da396 
MD5: 6cce70d4d7280c7f3ec913217d2b3293 
MD5: cab53b3a6cc7cd8c0b04e0521770b35c 
MD5: f085905595f59ac025b67c3756babe99 
MD5: 201cfcfbled6dcaf229073318c4aaf06 
MD5: 41c2f3797480a1016741cbaa232da336 
MD5: 6f31fd7b8de723a6e6bab77d22276e47 
MD5: 0cc657e83c5a74b7edcfe0827a976d08 
MD5: 3323e84cf633173db496c2f6402ffd81 
MD5: 265c61469587e932f384e862a0c7065d 


MD5: e9008ecb5da99d71c0541652aa6d5bc6 
MD5: 26570d6bebf71373c25dbf1e53208444 
MD5: e1086a5b5c504b95dda3fbd90758a429 
MD5: 8998c75fbd86bb63d4151a810balb4de 
MD5: 0743c40c4791f4cba8488a4a908f3a57 
MD5: 36e083ae0d58cb2f342f4cb81d6af88c 
MD5: 0357c02fc9fdeff9ad3f78876438256b 
MD5: 3092c54065a78ec88122e066bccf6238 
MD5: laed2fc8ca434c06a6ac90264634769c 
MD5: ebdf43127a54c134bb3b01ce74bb5a42 
MD5: 049684e041281f3f7c90fb75cdc70e09 
MD5: 8a9b2c23cc50f9798159297d300b0c46 
MDS: fai5abd8810b2e9349b7723b7cb1d132 
MD5: 0149de171a6530737blae82e9cf9b0cf 
MDS5: 6d5edf93cle4a2d1e2e5777884ed326f 
MD5: 1cc70f8fd134bf7f556fca762a0a8ee7 
MD5: 195377bef6d2b3cb5d56b387fca8ba60 


Related malicious MD5s known to have participated in the campaign: 
MD5: fec37b3989e590d0f3d78c6069bb0ca0 
MD5: 1554933e1243dedb041fec9029ee087c 
MD5: a860ed06f5d6f6ab390edfa39c59b164 
MD5: 61032381f8fb14cac5f9da88651b45be 
MD5: 4d53a34254cbc5723a5fb960fcd4a166 


Related malicious MD5s known to have participated in the campaign: 
MD5: 0357c02fc9fdeff9ad3f78876438256b 
MD5: 201cfcfbled6dcaf229073318c4aaf06 
MD5: 4900e194aaf35456f9b4a97e1ca38d99 
MD5: 8a9b2c23cc50f9798159297d300b0c46 
MD5: 2e4dc797e098104854dc555d93dd084a 
MD5: 0149de171a6530737b1ae82e9cf9b0cf 
MD5: 1cc70f8fd134bf7f556fca762a0a8ee7 
MD5: f69ce553ed33506d82e12fabc6f7c67a 
MD5: 6c1a294a9f6cb3279b68551501ca654a 
MD5: fd6e30b879ea2347e1124376b5f2d1cf 


Related malicious MD5s known to have participated in the campaign: 
MD5: dafeic1189a6fc55800d0874ffd6567c 

MD5: c66d0521a736b73bbd109dedba2da396 

MD5: 6cce70d4d7280c7f3ec913217d2b3293 

MD5: cab53b3a6cc7cd8c0b04e0521770b35c 


MD5: f085905595f59ac025b67c3756babe99 
MD5: 201cfcfb1ed6dcaf229073318c4aaf06 
MD5: 41c2f3797480a1016741cbaa232da336 
MD5: 6f31fd7b8de723a6e6bab77d22276e47 
MD5: 0cc657e83c5a74b7edcfe0827a976d08 
MD5: 3323e84cf633173db496c2f6402ffd81 
MD5: 265c61469587e932f384e862a0c7065d 
MD5: e9008ecb5da99d71c0541652aa6d5bc6 
MD5: 26570d6bebf71373c25dbf1e53208444 
MD5: e1086a5b5c504b95dda3fbd90758a429 
MD5: 8998c75fbd86bb63d4151a810balb4de 
MD5: 0743c40c4791f4cba8488a4a908f3a57 
MD5: 36e083ae0d58cb2f342f4cb81d6af88c 
MD5: 0357c02fc9fdeff9ad3f78876438256b 
MD5: 3092c54065a78ec88122e066bccf6238 
MD5: laed2fc8ca434c06a6ac90264634769c 
MD5: ebdf43127a54c134bb3b01ce74bb5a42 
MD5: 049684e041281f3F7c90fb75cdc70e09 
MD5: 8a9b2c23cc50f9798159297d300b0c46 
MD5: Pfai5abd8810b2e9349b7723b7cb1d132 
MD5: 0149de171a6530737blae82e9cf9bOcf 
MD5: 6d5edf93cle4a2d1e2e5777884ed326f 
MD5: 1cc70f8fd134bf7f556fca762a0a8ee7 
MD5: 195377bef6d2b3cb5d56b387fca8ba60 


Related malicious MD5s known to have participated in the campaign: 


Related malicious MD5s known to have participated in the campaign: 




Related malicious MD5s known to have participated in the campaign: 




Related domains known to have participated in the campaign: 


Exposing Bulgaria's "Kyulev" Compromised Database Leaker and Hacker - An OSINT Analysis 
dadsagency@tutanota.com 
https://prnt.sc/u57c62 
https://dadsagency.com - 104.27.150.28 

- +359 888758498 

- 16AS0z7GTbfYoexS4DM2LpuNohcM6uPEPd 
hxxp://dadsagency.org - 181.214.86.11 
hxxp://dadsagency.ws 
hxxp://dadsagency.to 

hxxp://reket2021.to 

hxxp://dadsagency.cc 
hxxp://dadsagency.pw 
hxxp://dadsagency.xyz 
https://ghostbin.com/paste/FztLI/dads2021 
Dear blog readers, 


It's been a while since I last posted a quality update, and I've decided to elaborate more and 
offer an in-depth analysis of Anonymous International's Hacking Collective online infrastructure, 
with the idea of assisting U.S. Law Enforcement and the security industry on its way to properly 
track down and attempt to shut down the infrastructure behind their fraudulent and rogue 
online infrastructure. 


In this post I'll provide actionable intelligence on Anonymous International's Hacking Collective 
online infrastructure, discuss in depth the tactics, techniques and procedures of the 
cybercriminals behind it, and offer an in-depth peek inside Anonymous Indonesia, 
a.k.a. SoraCyberTeam. 


Sample personally identifiable information for members of Anonymous 
International's Collective Indonesia: 


Name: Cyb3r00T 


Personally identifiable information: Email: cyb3r00t.linux@gmail.com; 
SoraCyberTeam@gmail.com including the following Facebook account 
(https://www.facebook.com/Cyb3r00T.go.id) including the following GitHub account 
(https://github.com/soracyberteam) including the following YouTube account 
(https://www.youtube.com/cyb3r00t) including the following Twitter account 
(https://twitter.com/soracyberteam) 


Personal Email: soracyberteam@gmail.com 

Security Cyber Art 

https://www.facebook.com/Cyb3r00t 

Team members of the group include: Tatsumi Crew 


RESIS-07 - ./Cyb3ROOT - AaR999 - Setya404 - ACE666x - B4Dsec - Mr.Adewa - Weak System - 
Kerens.id - Dayy404 ON3R1D3R - Rhythm - xLon3ly - P4kLOnc4t - Azrael - SPEEDY-03 - Rhythm 
- Mr.Swan - Yukiteru404 - xLon3ly - P4kLOnc4t - Jakarta6etar 


Personal Address: Jalan Melati 77 Timur Tengah, Kabupaten Gunung Kidul , DI Yogyakarta, 
77777 


Personal Phone: 087839992377; 6289669511216 
Personal Web Site: https://cyb3r00t.chatango.com 
Personal Web Sites: 

https://www.anonnewsid.cf 
https://twitter.com/anonnewsindo 
https://twitter.com/anon_indonesia 
https://www.facebook.com/anon.indonesia1/ 


Sample Personal Photos of members of Anonymous International's Hacking 
Collective Indonesia: 


Sample Screenshots and Logos of the Anonymous International Hacking Collective 
across the globe: 
Sample actionable intelligence on Anonymous International's Hacking Collective 
online infrastructure: 




